
Protecting text fields from html code

Posted on 2007-10-09
Last Modified: 2010-04-09
I have a client who has been using an HTML form questionnaire for quite some time.  Recently she's been receiving 2-3 messages a day through this form with the text fields filled out with html code directing her to porn links etc.

How do I protect the text fields from accepting html code?  They should accept text only.  It's a simple html form.

Please advise.  Thanks in advance for your input!
0
Question by:rexnkaren
LVL 8

Accepted Solution

by:
netmunky earned 2000 total points
ID: 20045900
is the problem that she is receiving questions with porn links, or that the questionnaire is posting porn links on her website?

to block malicious code from form submits, there are 2 basic steps you can do:

1) require a captcha. freecap (http://www.puremango.co.uk/cm_php_captcha_script_113.php) is very easy to implement.
2) don't display any user entered data that is not passed through htmlentities (php.net/htmlentities, or other language equivalent). this will change the link to the literal message <a href="....">etc. It doesn't block the spam, but at least it prevents the spammer from getting the backlink they are going for, and prevents you from spending your pagerank on them.

as added steps, you can check blacklists (http://pear.php.net/package/Net_DNSBL/docs/1.3.0/Net_DNSBL/Net_DNSBL.html) or require email validation from users before activating questions/postings.
0
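
An added example, not part of the thread or of any poster's code: one way a PHP form handler could apply step 2 of the accepted answer before the message is emailed or displayed, flagging fields that carry markup and escaping everything with htmlentities. The function names, field names and sample submission are assumptions made up for this illustration.

```php
<?php
// Added example: field names and sample values below are constructed.

// True when a value contains HTML markup: strip_tags() removes tags, so any
// difference between input and output means tags were present.
function contains_markup(string $value): bool
{
    return strip_tags($value) !== $value;
}

// Escape a value so markup shows up as literal text instead of a live link.
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the result into ''.
function as_literal_text(string $value): string
{
    return htmlentities(trim($value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Screen every posted field; returns the escaped fields plus the names of
// fields that carried markup (or were not plain strings at all).
function screen_submission(array $fields): array
{
    $clean = [];
    $flagged = [];
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {      // e.g. comments[]=... sent as an array
            $flagged[] = $name;
            continue;
        }
        if (contains_markup($value)) {
            $flagged[] = $name;
        }
        $clean[$name] = as_literal_text($value);
    }
    return ['ok' => $flagged === [], 'flagged' => $flagged, 'clean' => $clean];
}

// Constructed sample submission of the kind described in the question.
$sample = [
    'name'     => 'Pat Example',
    'comments' => 'Great site! <a href="http://spam.example/">click here</a>',
];
$result = screen_submission($sample);

if (!$result['ok']) {
    echo 'Rejected, markup in: ' . implode(', ', $result['flagged']) . "\n";
}
echo $result['clean']['comments'] . "\n";
```

In a real handler `$_POST` would be passed in place of `$sample`, and a submission with `ok` set to false would be dropped instead of mailed.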
 

Author Comment

by:rexnkaren
ID: 20045925
The form does not post anything back to the site; it only submits via email to my client.  She has been getting them with porn links, talk of incest & misc.  Is it ok to copy & paste her latest email the way it came in to her?  It doesn't have any pics or anything.  Just html links.
0
 
LVL 8

Expert Comment

by:netmunky
ID: 20045934
if it is simply just emailing her the information, i would suggest adding the freecap captcha to the form. this will prevent any submissions where the person does not enter what they see in the image

http://en.wikipedia.org/wiki/Captcha
0

 

Author Comment

by:rexnkaren
ID: 20045957
Thank you.  I'll check it out and return to update & award points if appropriate...
0
 

Author Comment

by:rexnkaren
ID: 20046029
At first glance I'm seeing any directions on how to use this software.  ?  I've downloaded but now what?
0
 
LVL 8

Expert Comment

by:netmunky
ID: 20046068
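on the HTML form you would include:
<!-- both src values must point at the same freecap.php -->
<img id="freecap" src="/freecap/freecap.php" /><br/>
<input type="text" name="captcha" id="captcha" /><br/>
Cannot read the image?  <a href="#" onclick="document.getElementById('freecap').src='/freecap/freecap.php?'+Math.random(); return false;">Click Here</a><br/>


in the form submission, you would have:
    <?php
    session_start();
    // Reject the submission unless a captcha answer was posted, a challenge
    // exists in the session, and the hashed answer matches the stored hash.
    // Strict comparison (!==) avoids PHP's loose-comparison type juggling.
    if( !isset($_POST['captcha']) ||
        !isset($_SESSION['freecap_word_hash']) ||
        $_SESSION['hash_func']($_POST['captcha']) !== $_SESSION['freecap_word_hash'] )
    {
      // Discard the challenge so a failed attempt cannot be retried against it.
      unset( $_SESSION['freecap_word_hash'] );
      die("The word you entered did not match the image.<br/>");
    }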


you can give more friendly error messages if you want, but that is the basics.
0
 

Author Comment

by:rexnkaren
ID: 20046094
0
 
LVL 8

Expert Comment

by:netmunky
ID: 20046106
html is not a PHP file

you can only use freecap if you are using PHP for the form handling. you can not put the PHP source code into a static HTML file.
0
 
LVL 8

Expert Comment

by:netmunky
ID: 20046108
you're also using FormMail.cgi, which is likely to be Perl, not PHP
0
 
LVL 8

Expert Comment

by:netmunky
ID: 20046116
if you're using FormMail from Matt's Script Archive, check out http://www.formmail.com/captcha/
0
 

Author Comment

by:rexnkaren
ID: 20046121
I'm going to check it out.  Please don't give up & desert me.  Thank you!  (0:
0
 

Author Comment

by:rexnkaren
ID: 20046137
Hmm...so, if I want to use the freecap I would need to build a form and submit without formmail?  I guess I'll need to check out how to do that.  Would you be able to write the code to put all this together?  I can write another question so you can have more points.  Is that kosher?
0
 
LVL 8

Expert Comment

by:netmunky
ID: 20046195
you can download sample php form to email script here: http://formtoemail.com/
0
